If you store files on Amazon AWS S3 and want to restrict access to them, you can do so by setting up an AWS CloudFront distribution with either Signed URLs or Signed Cookies. Signed Cookies are interesting if you want to use static file URLs and just make sure only people logged into your application can access the files. (But think twice which approach to use; I ended up going back to Signed URLs because I cannot set cookies in each scenario.)

The setup can look like this – note the use of a custom subdomain (a CNAME in your DNS) to access CloudFront to make sure the application can set cookies that reach CloudFront (using HTTPS with a custom subdomain requires extra hoops, by the way) – click to enlarge: